Movere requires local administrator rights to scan a Windows device. To start scanning immediately and avoid making any changes to the customer's environment, we recommend using domain administrator credentials.
If a customer would prefer to use alternative credentials, our recommendation is to create an appropriately named Active Directory security group, e.g. 'AdminLocal', assuming one does not already exist.
Step 1:
If a new security group does need to be created, its Group Scope will need to be specified.
There are three Group Scopes: Domain local, Global and Universal. The scope controls who can be a member of the group and where the group can be used.
- Domain local groups: Only visible in their own domain and used to grant rights and permissions to resources in the same domain.
  CAN CONTAIN: Domain local groups from their own domain, Global groups from trusted domains and any domain in a forest, Universal groups from trusted domains and any domain in a forest.
- Global groups: Visible throughout the forest, but can only contain accounts and Global groups from the same domain. These groups can be members of Domain local and Universal groups and are most often used to organize resources across domains. We do not recommend assigning permissions directly to a Global group, as Domain local groups are more appropriate for this.
  CAN CONTAIN: Global groups from the same domain.
- Universal groups: Visible throughout a forest and can contain accounts, Global groups and other Universal groups from any domain in a forest, but they cannot contain Domain local groups. Universal groups are typically used to nest Global groups to administer access to resources across multiple domains.
  CAN CONTAIN: Global and Universal groups from any domain in a forest.
Step 2:
Create a dedicated service account for Movere to use. This allows the customer to track Movere's activity, and as it is a service account we recommend a strong password that does not expire. This avoids login errors if Movere is installed as a service on the Windows device the Movere Console is being run from.
Step 3:
The service account created above now needs to be added to the security group created in Step 1.
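As an added illustration (not part of Movere's documentation or tooling), Steps 1 to 3 carried out with the ActiveDirectory PowerShell module from RSAT. The group name 'AdminLocal' and the account name 'movsvr' in the 'io' domain come from this article; the OU path and UPN suffix are placeholders that must be replaced with the customer's own values:

```powershell
# Added example, not Movere's own code: provision the Step 1-3 objects with the
# ActiveDirectory module. Group and account names are taken from the article;
# the OU path and UPN suffix below are PLACEHOLDERS for the customer's values.
#Requires -Modules ActiveDirectory

$GroupName   = 'AdminLocal'
$AccountName = 'movsvr'
$TargetOU    = 'OU=ServiceAccounts,DC=io,DC=example'   # PLACEHOLDER: customer's OU
$UpnSuffix   = 'io.example'                            # PLACEHOLDER: customer's UPN suffix

# Step 1: create the group only if it does not already exist. The article
# recommends Domain local scope for a group that is granted permissions.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope DomainLocal -GroupCategory Security -Path $TargetOU `
        -Description 'Movere scanning: local admin granted via Group Policy' -PassThru
}

# Step 2: dedicated service account with a strong password that does not expire.
# The password is prompted for at run time rather than stored in the script.
$password = Read-Host -AsSecureString -Prompt "Password for $AccountName"
$account = New-ADUser -Name $AccountName -SamAccountName $AccountName `
    -UserPrincipalName "$AccountName@$UpnSuffix" -Path $TargetOU `
    -AccountPassword $password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'Movere service account' -PassThru

# Step 3: add the service account to the group.
Add-ADGroupMember -Identity $group -Members $account

# Confirm the result before moving on to the Group Policy step (Step 4).
Get-ADGroupMember -Identity $group | Select-Object Name, SamAccountName, objectClass
Get-ADUser -Identity $account -Properties PasswordNeverExpires, Enabled |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires
```

Run this from a domain-joined management host with the RSAT ActiveDirectory module installed, using an account permitted to create objects in the target OU. The final two commands show the group membership and the PasswordNeverExpires flag, which is what Step 2 asks for.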
Step 4:
This is the most complex step, as it depends on which group policy or policies the new security group should be added to. For example, there may be a single Default Domain Policy, or there could be policies specific to all devices, servers only, workstations only, or a subset of one or both.
The newly created security group will use the ‘Default Domain Policy’, which applies to all Windows devices in this domain. To add the group, open the Group Policy Management console:
Open Computer Configuration / Preferences / Control Panel Settings, then right-click Local Users and Groups to add a new Local Group:
Then select the Group name: Administrators (built-in):
Next, click the "Add…" button and add the Movere Service account created in Step 2 above:
Once added you should see an Update action:
NOTE: By default, Computer Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes. In addition to background updates, Group Policy for Computers is always updated when the system starts.
To immediately test that the Group Policy change has worked (without waiting for replication to occur or for the endpoint to reboot), force an update from a command prompt with this command: gpupdate /force
NOTE: This will ONLY impact the device this command is run on. For ALL Windows devices in the domain to be updated, we recommend waiting at least 2 hours for the group policy change to propagate.
Here is a scan run against a device using the io\movsvr account created above before the device group policy was updated with the local admin change:
The scan failed as the account was unable to access the admin share on this device.
Next connect to this device and force a group policy update:
Next, attempt to scan it again using the io\movsvr account:
The scan using the io\movsvr account is now successful, as Movere is able to use this account to access the admin share, despite the fact that this is NOT a domain administrator account.
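The two checks performed above (force a policy refresh, then confirm the service account can reach the admin share) can be scripted so the same test is repeatable on any endpoint. The following is an added example, not Movere's own tooling: it assumes the io\movsvr account from this article, an elevated PowerShell prompt, and Windows 10 / Windows Server 2016 or later for the Get-LocalGroupMember cmdlet; the computer name defaults to the local device and can be pointed at another device:

```powershell
# Added example, not Movere's own code: verify that the Group Policy change has
# landed on an endpoint and that the service account can reach the admin share,
# which is what a Movere scan depends on. Assumes io\movsvr from the article
# and Get-LocalGroupMember (Windows 10 / Server 2016+). Run elevated.
param(
    [string]$ServiceAccount = 'io\movsvr',
    [string]$ComputerName   = $env:COMPUTERNAME
)

# 1. Pull the latest Computer policy now instead of waiting for the 90 minute
#    (+ 0 to 30 minute offset) background refresh described in the article.
gpupdate /force /target:computer | Out-Null

# 2. The Local Users and Groups preference should have added the account to the
#    built-in Administrators group. -contains is case-insensitive, so the
#    uppercased domain prefix returned by Windows (IO\movsvr) still matches.
$members = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$isAdmin = $members -contains $ServiceAccount
'{0} in local Administrators: {1}' -f $ServiceAccount, $isAdmin

# 3. List the GPOs that actually applied to this computer, to confirm the
#    policy carrying the preference item reached it.
gpresult /r /scope:computer | Select-String -Pattern 'Applied Group Policy Objects' -Context 0,10

# 4. Admin share access with the service account: the same access the scan needs.
#    The password is prompted for, not stored in the script.
$cred = Get-Credential -UserName $ServiceAccount -Message 'Movere service account password'
try {
    $drive = New-PSDrive -Name MovereCheck -PSProvider FileSystem `
        -Root "\\$ComputerName\admin`$" -Credential $cred -ErrorAction Stop
    'admin$ share on {0} reachable as {1}: OK' -f $ComputerName, $ServiceAccount
    Remove-PSDrive -Name $drive.Name
}
catch {
    'admin$ share on {0} NOT reachable as {1}: {2}' -f $ComputerName, $ServiceAccount, $_.Exception.Message
}
```

If check 2 reports False after gpupdate /force, the preference item has not applied to this device yet; compare the GPO list from check 3 against the policy the item was added to before troubleshooting the share access in check 4.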